Sarahah app’s uploading of contacts to servers could be a security risk, experts say
Popular app Sarahah was discovered to be uploading user address books and contact numbers without clarifying why it is doing so.
The process was discovered by Bishop Fox senior security analyst Zachary Julian, according to a report by The Intercept.
Apparently, the process of uploading contacts happens the first time Sarahah is loaded. It immediately scans the device it is installed on and starts transmitting information to its servers.
However, Sarahah creator Zain al-Abdin Tawfiq tweeted that the app did this because of a planned feature that never pushed through. He also assured that a future update will remove this functionality.
The line of code instructing the app to do this was supposed to be removed by a partner working on the feature before development on it stopped. The good news is that the function was removed from the servers, which means the information being transmitted by the app is not being saved, Tawfiq explained to The Intercept.
This function was supposed to be used for a “find your friends” feature.
According to security firm Red Mesa founder Drew Porter, this kind of app function is more common than people think. The trouble is that since it happens too often, it’s become difficult to ensure the safety of the data being transmitted on the server side.
Apple iOS and Android generally ask users whether they want apps to access information on their devices, especially starting from Android 6.0 Marshmallow, where permissions are more specific. This gives smartphone owners a level of control over their personal information.
The danger lies in attackers targeting servers with less-than-ideal security measures. From this perspective, personal information is now put at risk.
Sarahah has been rated as being among the top five most downloaded apps today, according to analytics firm App Annie.
Until a fix can be made available, Julian suggests that Sarahah should inform users what data is being gathered, where it is being sent, and what it is specifically being used for. Alfred Bayle/JB